Enable TPM On Existing ESXi Host on Dell R340

itbymiket · 2025-06-17T17:46:32.800Z

I have a customer with a Dell R340 with VMware loaded on it. The server currently doesn’t have TPM enabled on it so I am unable to add a Windows 11 VM due to the lack of TPM.

Are there any potential issues that could arise just enabling TPM in the BIOS? The steps seem pretty simple. Put the host in Maintenance Mode, reboot, enter the BIOS and enable TPM and SHA-256 encryption.

Thank you.

Jay-Updegrove · 2025-06-17T18:27:37.045Z

Why would you spin up a desktop environment on ESXi? There probably aren’t any TPM issues assuming the hardware has it, but be sure your version of ESXi supports it before you start messing with things. What’s your version level?

Mike-ITByMikeT · 2025-06-17T18:41:04.760Z

I don’t know the exact build off the top of my head, but it’s 7.x.

Will enabling TPM in the BIOS stop ESXi from booting for any reason?

Suzanne-Spiceworks · 2025-06-17T18:46:53.607Z

Note: The person above does seem to be the same person that posted the question even though it is a different account. --Z

Jay-Updegrove · 2025-06-17T19:09:01.487Z

It shouldn’t prevent ESXi from booting, but it might not pass TPM to the VM’s you create even if you do turn it on. Research TPM in your 7X version, make sure it’s supported or you’ll be fighting an uphill battle…if the hardware is new enough to HAVE TPM 2.X installed, chances are it’s turned on in BIOS/UEFI and it’s just not supported by your level of ESXi.

Rod-IT · 2025-06-17T20:14:12.564Z

ITByMikeT:

The server currently doesn’t have TPM enabled on it so I am unable to add a Windows 11 VM due to the lack of TPM.

Before we get in to the physics, be aware you can’t just spin up a VM of any Windows desktop, you need specific licenses to be legal with these, notably an EA with SA or VDA licenses. Some 365 subscriptions allow this, but in most setups this is often too expensive compared to physical devices.

Mike-ITByMikeT:

Will enabling TPM in the BIOS stop ESXi from booting for any reason?

Unlikely. But before any major changes like this it’s always best to check your backups.

If i was you, I’d get your licensing sorted before you go down the TPM route, you can’t simply use an EOM/Retail or VL license for this and a datacentre license for your host doesn’t cover desktop OSes.

This has been covered so many times before.

There are some exceptions, such as trials, master build for OS deployment etc, but if this is an actively used device, get your licensing covered first.

Jay-Updegrove · 2025-06-17T20:17:55.029Z

Rod-IT:

Before we get in to the physics, be aware you can’t just spin up a VM of any Windows desktop, you need specific licenses to be legal with these, notably an EA with SA or VDA licenses. Some 365 subscriptions allow this, but in most setups this is often too expensive compared to physical devices.

So long as OP stays within the ‘eval period’ and either licenses the VM or deletes it from disk before it expires, they’ll be fine…but yes, need to be valid in license use!!

Did you note what ESXi version OP is running, by the way? 6.7X attempting to use TPM is not likely going to go well, as it was obsolete before TPM was even a thing!

phildrew · 2025-06-17T20:21:11.665Z

Just enabling the TPM will not do anything to the host. It will boot normally to vSphere ESXi.

Rod-IT · 2025-06-17T20:21:50.175Z

Jay Updegrove:

Did you note what ESXi version OP is running, by the way? 6.7X attempting to use TPM is not likely going to go well

That’s not what I seen.

Mike-ITByMikeT:

I don’t know the exact build off the top of my head, but it’s 7.x.

Jay-Updegrove · 2025-06-17T20:26:24.937Z

You’re right, I’m mixing up the two threads about nearly the same topic.

JohnFreeman · 2025-06-17T20:42:01.080Z

Enabling TPM in the BIOS is usually safe and straightforward, especially if you’re not currently using features like BitLocker or Secure Boot on the host. Just make sure the firmware is up to date and check VMware’s compatibility guide to ensure no conflicts. After enabling TPM and SHA-256, verify that the host boots cleanly before bringing VMs back online.

matthew-martin · 2025-06-18T06:57:55.837Z

The VM needs a virtual TPM 2.0 (vTPM) and vTPM does not require a physical TPM on the host. See the following for guides for adding vTPM to new or existing VMs:

Create a Virtual Machine with a Virtual Trusted Platform Module | Broadcom
Enable Virtual Trusted Platform Module for an Existing Virtual Machine | Broadcom

itbymiket · 2025-06-19T14:42:17.848Z

I tired to set it up with vTPM, but am getting the following error:

A general runtime error occurred. Key provider myesxi.local-vTPM is not compatible with the host 192.168.1.11. Reason: “The host does not support Native Key Provider.”

From what I read, ESXi 7.0 Update 2 Build 17630552 is required for vTPM. Installed version (I know it’s not the latest) is VMware ESXi, 7.0.3, 23794027.

Installed CPU is Intel(R) Xeon(R) E-2286G CPU @ 4.00GHz.

Server does not have a TPM module, I confirmed that earlier today, but I don’t believe it’s required for vTPM.

Thank you.

phildrew · 2025-06-19T15:13:33.952Z

ITByMikeT:

Server does not have a TPM module, I confirmed that earlier today, but I don’t believe it’s required for vTPM.

You do not meet the requirements to deploy a Win11 VM with a vTPM.

knowledge.broadcom.com

Creating new virtual machine with virtual Trusted Platform Module (vTPM)...

This KB article describes the process for creating a Virtual Machine with a Virtual Trusted Platform Module. A TPM or vTPM is required for some OS installations

Jay-Updegrove · 2025-06-19T16:30:44.428Z

OP - there’s your answer. System limitation.

matthew-martin · 2025-06-20T17:54:53.529Z

…“The host does not support Native Key Provider.”…

It looks like need to create cluster and use vSphere to use the Native Key Provider – a single host cluster if only one host or don’t want to cluster with another host.